Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: high
Invalid

Contract Storage Inconsistencies from Deposit Reverts

Summary

The deposit() function updates on-chain storage as soon as it receives a deposit transaction, but the token transfer may revert before completing. This could leave storage in an invalid state.

Vulnerability Details

When a user calls deposit(), storage modifications such as updating the deposit cache occur immediately. But the token transfer instruction executes separately and has the potential to revert prior to completion. If this occurs, storage would be prematurely updated, risking inconsistencies.

function deposit(
    GMXTypes.Store storage self,
    GMXTypes.DepositParams memory dp,
    bool isNative
) external {

Reproduction Steps:

  1. User deposits tokens by calling deposit()

  2. Function triggers storage updates, such as to the deposit cache

  3. Token transfer executes independently

  4. Before transfer settles, it reverts

  5. But storage was already modified out of sync

Impact

Storage inconsistencies if the transfer reverts after the updates

Tools Used

Manual Review

Recommendations

Defer storage changes until after validating token arrival
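
A sketch of the ordering this recommendation describes, added here as an example; it is not Steadefi's code and not part of the submission. The contract name `DepositAfterArrival`, the `deposited` mapping (a stand-in for the deposit cache) and the single-token layout are hypothetical, and the token is assumed to return a bool from transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (assumes the token returns a bool).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault used only to illustrate the ordering.
contract DepositAfterArrival {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited; // stand-in for the deposit cache
    bool private locked;

    error TransferFailed();
    error NothingReceived();
    error Reentrancy();

    constructor(IERC20 token_) {
        token = token_;
    }

    // Storage is written after an external call, so a reentrancy lock is needed.
    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    function deposit(uint256 amount) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));

        // Pull the tokens first. A revert here aborts the whole call,
        // so none of the lines below execute.
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();

        // Credit only what actually arrived (also covers fee-on-transfer tokens).
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();

        deposited[msg.sender] += received;
    }
}
```

Because the accounting write follows the external call, the lock is what keeps a callback-capable token from re-entering deposit() before the credit is recorded.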

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
